Meet Eric Sheridan, Chief Innovation Officer at Tromzo

Welcome to Tromzo’s Employee Spotlight Series. Discover the unique talents and diverse backgrounds of our team members. In our second edition, we’re thrilled to feature Eric Sheridan, Chief Innovation Officer at Tromzo. 

Can you tell us more about your background? 

Starting my career fresh from college, I found myself in the unusual position of being a young consultant in application security, tasked with teaching seasoned software developers how to write secure software. I remember someone once told me I was younger than their grandchild – quite an awkward moment when you’re trying to teach!

My interest in this field was actually sparked during my college years when I wrote a paper on Buffer Overflow and format string vulnerabilities. I discovered a vulnerability in the Solaris operating system, which earned me a CVE label. Of course, at that age, I was ecstatic and couldn’t believe I could ever replicate that. Fast forward ten years, and I was writing software that did it for me!

As a consultant at Aspect Security, I wore many hats. I trained people, conducted threat modeling exercises, participated in heavy technical initiatives, design discussions, implementation discussions, and more. Being a consultant was a sink-or-swim situation, and luckily, I swam quite well.

During this time, I began contributing to what today is known as OWASP, an up-and-coming project at the time. I made significant contributions, such as creating the CSRF Guard tool to prevent CSRF attacks in applications. This work earned me some credibility in the field.

In 2011, I felt the urge to start my own company, Infrared Security, aiming to rethink static analysis. Not long after founding the company, we were approached by WhiteHat Security. They were interested in our static analysis technology, and I joined their team as their Chief Scientist.

While at WhiteHat, I helped build out the static analysis product line, contributed towards a new product around Software Composition Analysis, and developed a variant of SAST specifically for developers. We successfully positioned ourselves as a full platform play, which arguably led to the acquisition of WhiteHat by NTT.

At NTT Application Security, I took over the innovation arm of the company, leading the creation of a brand new variant of DAST for the company. I was proud of the fact that I helped get numerous products out the door and filed twelve to 14 patents during my tenure. I left when NTT was acquired by Synopsis.

I was offered a role there but realized I missed the smaller team dynamic and I began to realize that I was contributing to a significant problem – the accumulation of unaddressed vulnerabilities. It was a shock to discover that many heads of security teams had hundreds of thousands, if not millions, of vulnerabilities sitting in their backlogs. This discovery bothered me greatly, and I felt compelled to address it.

What attracted you to Tromzo? 

My path to Tromzo began when I was introduced to Harshil and Harshit through a shared contact. What intrigued me about them was that they had both personally encountered the issue I was passionate about resolving, but from unique perspectives. Unlike the leadership in many other companies addressing this challenge, these co-founders had authentic, first hand experience. Recognizing this, I understood that if my goal was to instigate meaningful change, I needed to collaborate with individuals who had not only experienced the problem but were deeply committed to rectifying it. Consequently, I was drawn to join Tromzo in the capacity of Chief Innovation Officer. 

What excites you most about the work you’re doing? 

 What truly excites me about my daily work is the tangible sense of making a difference in people’s lives. Over my decade-long career in product development, I noticed that as an organization expands, there’s a tendency to become more distanced from the customer. Instead of seeing them as individuals, they began to resemble faceless entities, rows in a spreadsheet, and that made me feel disconnected. It was difficult to ascertain if my efforts were genuinely adding value.

At Tromzo, however, the story is different. I appreciate that my work involves direct engagement with customers, which allows me to receive and incorporate their feedback. It’s gratifying when a customer says, “This issue is driving me nuts, can you help?” and I’m able to respond with a solution. Their relief is palpable when they realize they don’t have to purchase another tool, seek additional budget, or delay their project for another six months. 

Ultimately, I’ve reached a stage in my life where I want to know that my work is truly helping someone, and it’s not just about creating for creation’s sake. It’s this realization of making a difference, of genuinely helping someone, that truly thrills me about my work every day.

What motivates you day to day?

What drives me each day is the desire to make a tangible difference in people’s lives, particularly those closest to me. I have two children, aged ten and eight, who are growing up in a world increasingly dominated by technology. As they become more tech-savvy, I find myself increasingly concerned about the quality and security of the software they use. 

With the understanding I have gained from my experiences, I can’t help but worry about a future where their lives are wholly controlled by software, and the potential risks that could entail. As I age – evidenced by my hairline and graying beard – I yearn to leave a legacy where I can confidently say that I contributed to making the digital world safer.

It might sound cliché to say I want to make things better for the next generation, but it’s more personal for me. My primary goal is to make a safer digital environment for my children. That’s what truly motivates me every day.

What advice would you have for someone just getting into AppSec today?

For those seeking a technical career in application security, it’s essential to have a solid foundation in software development. This understanding could come from building applications directly or from exposure to infrastructure and DevOps in the context of infrastructure as code. To effectively apply security principles, you need to understand the underlying systems that you’re trying to protect. 

I’ve encountered many bright individuals with a strong security background but without any development experience. When these individuals interact with developers, the lack of shared understanding can be problematic, akin to mixing oil and water. So, if you’re targeting a technical role in application security, a background in development is crucial. 

If, however, your interest lies more on the business side of application security, the path might be different. Over the years, I’ve adapted my approach, but it’s not as straightforward, and I think it’s something that each individual must figure out for themselves.

Get in touch with Eric: 

Connect with Eric on Linkedin 

Check out Eric’s episode on the Future of AppSec Podcast

Join Eric and Tanya Janca on June 22 for Choosing AppSec Priorities (LinkedIn live)